Found a security issue?

At SBAB we take security of our system very seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We constantly strive to deliver high quality services as secure as possible, despite of this error do some times occur. If you have found a security flaw we encourage you to contact us, we work to continuous improvement and would like to hear about it to be able to address it as soon as possible.

How do you report?

We prefer to be contacted by encrypted email to with our PGP-key. When sending in your report make sure that you have included the following information.

  • Your contact information (Name, email, phone number and your PGP-key).
  • As thorough explanation as possible of the vulnerability containing details about the site, URL and type of vulnerability. This is needed for us to reproduce the problem and address the issue.
  • If applicable, a screenshot of the vulnerability you have found.

What do we expect of you?

It is important for both us and our clients' security that you follow good practice, i.e. that:

  • We expect that you don’t abuse our services.
  • You do not use the vulnerability to remove or modify information.
  • You do not affect the availability of our services through denial of service attacks.
  • You give us an opportunity to fix the reported vulnerability before going public with it.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Don’t exceed the scope of our services: “*; *;;”.

What can you expect of us?

  • We will do our best to get back to you within 72 hours, with a confirmation that we have received your report and keep you updated while we process the issue.
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will keep you informed of the progress towards resolving the problem.
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

SBAB Hall of Honors